diff --git a/src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java b/src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java
new file mode 100644
index 0000000..13a22ba
--- /dev/null
+++ b/src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java
@@ -0,0 +1,64 @@
+package com.monkeyk.sos.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
+import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
+import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
+import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
+import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
+import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
+import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
+
+/**
+ * 2016/4/4
+ *
+ * @author Shengzhao Li
+ */
+//AuthorizationServer
+@Configuration
+@EnableAuthorizationServer
+public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
+
+// @Autowired
+// private DefaultTokenServices tokenServices;
+
+ @Autowired
+ private UserApprovalHandler userApprovalHandler;
+
+ @Autowired
+ private AuthorizationCodeServices authorizationCodeServices;
+ @Autowired
+ private ClientDetailsService clientDetailsService;
+ @Autowired
+ private OAuth2AccessDeniedHandler oauth2AccessDeniedHandler;
+ @Autowired
+ private OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint;
+
+ @Override
+ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
+ clients.withClientDetails(clientDetailsService);
+ }
+
+
+ @Override
+ public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
+ endpoints.userApprovalHandler(userApprovalHandler)
+// .tokenServices(tokenServices)
+ .authorizationCodeServices(authorizationCodeServices);
+ }
+
+ @Override
+ public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
+ security.accessDeniedHandler(oauth2AccessDeniedHandler)
+ .authenticationEntryPoint(oAuth2AuthenticationEntryPoint)
+ .allowFormAuthenticationForClients();
+ security.realm("spring-oauth-server_realm");
+ }
+
+
+}
diff --git a/src/main/java/com/monkeyk/sos/config/ServletInitializer.java b/src/main/java/com/monkeyk/sos/config/ServletInitializer.java
index 42619c8..3116998 100644
--- a/src/main/java/com/monkeyk/sos/config/ServletInitializer.java
+++ b/src/main/java/com/monkeyk/sos/config/ServletInitializer.java
@@ -23,7 +23,10 @@ public class ServletInitializer extends AbstractAnnotationConfigDispatcherServle
 
 @Override
 protected Class[] getRootConfigClasses() {
- return new Class[]{ContextConfigurer.class, WebSecurityConfigurer.class};
+ return new Class[]{ContextConfigurer.class,
+ WebSecurityConfigurer.class,
+ AuthorizationServerConfigurer.class,
+ UnityResourceServerConfigurer.class};
 }
 
 @Override
diff --git a/src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java b/src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java
new file mode 100644
index 0000000..3fc320b
--- /dev/null
+++ b/src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java
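Review bot: `configure(AuthorizationServerEndpointsConfigurer)` sets the approval handler and code services but never hands the endpoints a `TokenStore`, and the explicit `tokenServices` bean that used to bind the JDBC store is commented out in this same commit; as far as I recall the endpoints configurer then builds its own `DefaultTokenServices` over an in-memory store, so issued tokens would not survive a restart and would be invisible to the `JdbcTokenStore` the rest of the project still imports. Add `@Autowired private TokenStore tokenStore;` and chain `.tokenStore(tokenStore)` after `.authorizationCodeServices(authorizationCodeServices)`, and state refresh-token support explicitly rather than relying on defaults. `allowFormAuthenticationForClients()` additionally lets `client_id`/`client_secret` arrive in the POST body of the token endpoint, which RFC 6749 §2.3.1 marks NOT RECOMMENDED — keep it only for clients that cannot do HTTP Basic, and make sure request bodies are not logged. Finally, the commented-out `tokenServices` field and `.tokenServices(tokenServices)` line should be deleted rather than shipped in a brand-new file.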
@@ -0,0 +1,52 @@
+package com.monkeyk.sos.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
+
+/**
+ * 2016/4/4
+ *
+ * @author Shengzhao Li
+ */
+// unity-resource
+@Configuration
+@EnableResourceServer
+public class UnityResourceServerConfigurer extends ResourceServerConfigurerAdapter {
+
+
+ @Autowired
+ private AccessDecisionManager oauth2AccessDecisionManager;
+
+ @Override
+ public void configure(ResourceServerSecurityConfigurer resources) {
+ resources.resourceId("unity-resource").stateless(false);
+ }
+
+ @Override
+ public void configure(HttpSecurity http) throws Exception {
+// final DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
+// expressionHandler.setExpressionParser();
+
+ http.sessionManagement()
+ .sessionCreationPolicy(SessionCreationPolicy.NEVER)
+ .and()
+ .requestMatchers().antMatchers("/unity/**")
+ .and()
+ .authorizeRequests()
+// .expressionHandler(expressionHandler)
+ .antMatchers("/unity/**")
+// .access("hasRole('ROLE_UNITY') and hasRole('SCOPE_READ')")
+ .access("#oauth2.clientHasRole('ROLE_UNITY') and #oauth2.isClient() and #oauth2.hasScope('read')")
+ .accessDecisionManager(oauth2AccessDecisionManager)
+ .and().csrf().disable();
+
+ }
+
+}
+
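Review bot: `resources.resourceId("unity-resource").stateless(false)` combined with `sessionCreationPolicy(SessionCreationPolicy.NEVER)` and `csrf().disable()` means a pre-existing HTTP session is accepted as the caller's identity on `/unity/**` with no CSRF defence, so only the `#oauth2.*` access expression separates a cookie-bearing browser from the resource. If `/unity/**` is a bearer-token API — which `#oauth2.isClient()` suggests — change the two lines to `resources.resourceId("unity-resource").stateless(true);` and `.sessionCreationPolicy(SessionCreationPolicy.STATELESS)` so no session is consulted or created and disabling CSRF becomes genuinely safe. Note also that, as I read it, `#oauth2.isClient()` rejects any token carrying a user authentication (authorization-code or password grants), leaving only client_credentials tokens; that deserves a comment such as `// client-only resource: user-authorised tokens are rejected by #oauth2.isClient()` if intended. The commented-out expression handler and the superseded `hasRole('SCOPE_READ')` expression should be removed from a new file.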
diff --git a/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java b/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java
index 2b9e73d..862ba1e 100644
--- a/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java
+++ b/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java
@@ -11,9 +11,6 @@ import org.springframework.security.access.vote.AuthenticatedVoter;
 import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.access.vote.UnanimousBased;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.ProviderManager;
-import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -23,7 +20,6 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
-import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
 import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
 import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
@@ -31,14 +27,12 @@ import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHand
 import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
 import org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler;
 import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
-import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
 import org.springframework.security.oauth2.provider.token.TokenStore;
 import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
 import org.springframework.security.oauth2.provider.vote.ScopeVoter;
 
 import javax.sql.DataSource;
 import java.util.Arrays;
-import java.util.List;
 
 /**
  * 2016/4/3
@@ -114,14 +108,14 @@ public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 }
 
 
- @Bean(name = "tokenServices")
- public DefaultTokenServices tokenServices(TokenStore tokenStore, ClientDetailsService clientDetailsService) {
- final DefaultTokenServices tokenServices = new DefaultTokenServices();
- tokenServices.setTokenStore(tokenStore);
- tokenServices.setClientDetailsService(clientDetailsService);
- tokenServices.setSupportRefreshToken(true);
- return tokenServices;
- }
+// @Bean(name = "tokenServices")
+// public DefaultTokenServices tokenServices(TokenStore tokenStore, ClientDetailsService clientDetailsService) {
+// final DefaultTokenServices tokenServices = new DefaultTokenServices();
+// tokenServices.setTokenStore(tokenStore);
+// tokenServices.setClientDetailsService(clientDetailsService);
+// tokenServices.setSupportRefreshToken(true);
+// return tokenServices;
+// }
 
 @Bean(name = "oAuth2RequestFactory")
 public OAuth2RequestFactory oAuth2RequestFactory(ClientDetailsService clientDetailsService) {
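Review bot: The `tokenServices` bean is commented out instead of deleted; git already keeps the history, and a dead `@Bean` block is exactly the kind of thing that gets un-commented by mistake later. More importantly, the two decisions it encoded — binding the `TokenStore` (still a JDBC store, judging by the retained `JdbcTokenStore` import) and `setSupportRefreshToken(true)` — are now left to whatever the authorization-server configuration defaults to, and nothing in this diff re-states them. Either restore them explicitly in `AuthorizationServerConfigurer` or add a one-line comment here explaining why the defaults are acceptable, and remove the eight `//` lines.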
@@ -158,13 +152,13 @@ public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 }
 
 
- @Bean(name = "oauth2AuthenticationManager")
- public AuthenticationManager oauth2AuthenticationManager(ClientDetailsUserDetailsService detailsService) {
- DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
- daoAuthenticationProvider.setUserDetailsService(detailsService);
- List providers = Arrays.asList(daoAuthenticationProvider);
- return new ProviderManager(providers);
- }
+// @Bean(name = "oauth2AuthenticationManager")
+// public AuthenticationManager oauth2AuthenticationManager(ClientDetailsUserDetailsService detailsService) {
+// DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
+// daoAuthenticationProvider.setUserDetailsService(detailsService);
+// List providers = Arrays.asList(daoAuthenticationProvider);
+// return new ProviderManager(providers);
+// }
 
 
 @Bean(name = "oauth2AccessDecisionManager")
@@ -182,14 +176,22 @@ public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 }
 
 
- @Bean(name = "clientCredentialsTokenEndpointFilter")
- public ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(AuthenticationManager oauth2AuthenticationManager) {
- ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter = new ClientCredentialsTokenEndpointFilter();
- clientCredentialsTokenEndpointFilter.setAuthenticationManager(oauth2AuthenticationManager);
- return clientCredentialsTokenEndpointFilter;
- }
-
-
+// @Bean(name = "clientCredentialsTokenEndpointFilter")
+// public ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(AuthenticationManager oauth2AuthenticationManager) {
+// ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter = new ClientCredentialsTokenEndpointFilter();
+// clientCredentialsTokenEndpointFilter.setAuthenticationManager(oauth2AuthenticationManager);
+// return clientCredentialsTokenEndpointFilter;
+// }
+// @Configuration
+// @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
+// protected static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
+//
+//
+// @Override
+// protected MethodSecurityExpressionHandler createExpressionHandler() {
+// return new OAuth2MethodSecurityExpressionHandler();
+// }
+// }
 }
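Review bot: A nine-line commented-out `MethodSecurityConfig` with `@EnableGlobalMethodSecurity(prePostEnabled = true, ...)` is added here as dead text; if any `@PreAuthorize`/`@PostAuthorize` annotations exist in the project they are not enforced without this enabler, and a commented-out version invites the assumption that they are. Either enable it for real or leave it out, and delete the commented-out `clientCredentialsTokenEndpointFilter` bean too — `allowFormAuthenticationForClients()` in `AuthorizationServerConfigurer` is the framework's replacement for that hand-built filter. The class's closing brace is the only remaining context line, so everything else in `WebSecurityConfigurer` is outside this hunk.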